
PT Data Security
Bounty Range
Up to $6,000
external program
The PT Data Security Bug Bounty Program is aimed at identifying and confirming vulnerabilities that may lead to unauthorized access to data, compromise of inventory and information classification mechanisms, violation of risk and incident monitoring processes, and leakage of sensitive data from corporate repositories.
PT Data Security is a next-generation platform for ensuring complete visibility and data protection regardless of format and storage location. The product combines inventory, automated classification, and data monitoring, providing centralized control over data storage and processing infrastructure. Vulnerabilities in the product can directly affect the confidentiality, integrity, and availability of data, including critical and regulatory information.
At the time of program launch, access to product test environments is provided on a limited basis.
Extended access will be provided later, as infrastructure and support procedures become ready.
We accept vulnerability reports in the following categories, among others:
- Bypassing authentication or authorization to gain access to the product's management interface (UI), allowing the system configuration to be viewed or modified.
- Bypassing authentication or authorization in API methods intended for managing assets, data classes, risks, and incidents, resulting in unauthorized access to sensitive information.
- Obtaining, in plain text, the credentials the system uses for inventory and classification of content in protected data repositories.
- Compromising a private key or certificate the system uses to decrypt SSL/TLS traffic between users and repositories, enabling a Man-in-the-Middle attack and access to the transmitted data.
Note: Vulnerabilities that do not lead to real risk (for example, theoretical or without proof of exploitation) may be rejected or assessed as "informational" without monetary compensation.
Reward amounts are described in the table below:
| Severity Level | Payment Amount |
|---|---|
| Critical | 300,000 - 500,000 rubles |
| High | 150,000 - 300,000 rubles |
| Medium | 50,000 - 150,000 rubles |
| Low | 0 - 50,000 rubles |
Rewards can only be paid for attack scenarios that are reproducible on installations of the officially supported product version with all available updates. Reports about defects in unsupported versions are also accepted, but payment for such vulnerabilities is not guaranteed.
The vulnerability severity level is determined during triage and report confirmation, taking into account the impact on product security.
The final decision on the severity level of a vulnerability is made by the product security team.
All interested researchers aged 18 and older are eligible to participate in the program.
Researchers aged 14 to 18 have the right to participate in the program only with written consent from their parents or legal guardian.
Current Positive Technologies employees and former employees who left less than 3 years ago may participate in the program but cannot claim rewards.
- Comply with the rules established by Positive Technologies in its vulnerability disclosure program and the rules of The Standoff 365 Bug Bounty platform.
- Comply with confidentiality rules. It is prohibited to access another user's data without consent, to modify or destroy it, or to disclose any confidential information accidentally obtained during vulnerability research or demonstration. Intentional access to such information is prohibited and may be considered illegal.
- Maintain communication with the security team, submit reports of identified vulnerabilities formatted according to the requirements, and provide feedback if specialists have questions about the report.
- Do not disclose information about the vulnerability. The right to publish information about a found vulnerability remains with Positive Technologies.
Vulnerability disclosure is only permitted if there is a fix and a publicly registered CVE/BDU identifier.
A bug hunter may request disclosure of the report; PT undertakes to launch the process of coordinating the registration of the vulnerability identifier.
Positive Technologies does not pay rewards for:
- Reports from security scanners and other automated tools;
- Disclosure of non-secret information (software name or version, technical parameters and system metrics, etc.);
- Information about IP addresses, DNS records, and open ports;
- Problems and vulnerabilities inferred solely from the product version in use, without demonstrating their exploitation;
- Vulnerabilities whose exploitation is blocked by security tools, without demonstrating a bypass of those tools;
- Reports about insecure SSL and TLS ciphers without demonstrating their exploitation;
- Reports about the absence of SSL and other best current practices;
- Vulnerabilities whose information was previously submitted by other program participants (duplicate reports);
- 0-day or 1-day vulnerabilities whose information was obtained by the security team from open sources;
- Brute force attack vulnerabilities, if the report does not describe a method that is significantly more efficient than direct brute force.